# -*- mode: perl; -*-
# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## Test TLSv1.3 certificate authentication
## Similar to 04-client_auth.conf.in output, but specific for
## TLSv1.3 and post-handshake authentication

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

our @tests = (
    {
        name => "server-auth-TLSv1.3",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    {
        name => "client-auth-TLSv1.3-request",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "Request",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-fail",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Require",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "CertificateRequired",
        },
    },
    {
        name => "client-auth-TLSv1.3-require",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty"
        },
    },
    {
        name => "client-auth-TLSv1.3-require-non-empty-names",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "Request",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },
    {
        name => "client-auth-TLSv1.3-noroot",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "Require",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-fail-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequirePostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-require-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => "empty"
        },
    },
    {
        name => "client-auth-TLSv1.3-require-non-empty-names-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "ClientSignatureAlgorithms" => "PSS+SHA256",
            "ClientCAFile" => test_pem("root-cert.pem"),
            "VerifyCAFile" => test_pem("root-cert.pem"),
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedClientCertType" => "RSA",
            "ExpectedClientSignType" => "RSA-PSS",
            "ExpectedClientSignHash" => "SHA256",
            "ExpectedClientCANames" => test_pem("root-cert.pem"),
        },
    },
    {
        name => "client-auth-TLSv1.3-noroot-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "RequirePostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "ServerFail",
            "HandshakeMode" => "PostHandshakeAuth",
            "ExpectedServerAlert" => "UnknownCA",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-force-client-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "RequestPostHandshake",
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-force-server-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
        },
        test => {
            "ExpectedResult" => "ClientFail",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
    {
        name => "client-auth-TLSv1.3-request-force-both-post-handshake",
        server => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            "VerifyMode" => "RequestPostHandshake",
            extra => {
                "ForcePHA" => "Yes",
            },
        },
        client => {
            "MinProtocol" => "TLSv1.3",
            "MaxProtocol" => "TLSv1.3",
            extra => {
                "EnablePHA" => "Yes",
            },
        },
        test => {
            "ExpectedResult" => "Success",
            "HandshakeMode" => "PostHandshakeAuth",
        },
    },
);
